rprf Menu

About

Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

November 6, 2017

My Fingertips, My Data

I am not a user of old-style financial services. While I remember learning how to balance a checkbook, I never had to do it, since I never had checks. Recently, my financial adviser suggested several mobile applications that could help me manage my finances in a way that made sense to me. I researched them, evaluated a few, and decided which one I thought would be the best. I'm always excited to try new apps, hopeful that this one will be the one that will simplify my life.

As I clicked through the process of opening an account with my new financial management app, I entered the name of my financial institution (FI), where I have several accounts: checking, savings, money market, and line of credit. The app identified my credit union (which has over $5 billion in assets and ranks among the top 25) and entered my online banking credentials—and then I was brought up short. The app was asking for my routing and account number. As I said, I don't own any checks and I don't know how to find this information on my credit union's mobile app. (I do know where to find it using an internet browser.) I stopped creating my account at this point and have yet to finish it up.

I later discovered that if I banked with one of the larger banks, for which custom APIs have been negotiated, I would not have been asked for a routing and account number. I would have simply entered my online login details, and I'd be managing my finances with my fingertips already. I started digging into why my credit union doesn't have full interoperability.

In the United States, banking is a closed system. APIs are built as custom integrations, with each financial institution having to consent for third parties to access customer data. However, many FIs haven't been approached, or integration is bottlenecked at the core processor level. It is bottlenecked because if they deny access to customer data (which some do), the FI has no choice in the matter.

New Consumer Financial Protection Bureau (CFPB) guidance on data sharing and aggregation addresses the accessibility and ownership issue. The upshot of the CFPB's guidance is that consumers own their financial data and FIs should allow sharing of the data with third-party companies. But should doesn't equal will or can.

The CFPB guidance, though not a rule, is in the same vein as the European Union's PSD2 (or Directive on Payments Services II) regulation, whereby FIs must provide access to account information with the consumer's permission. This platform, which represents an open banking approach, standardizes APIs that banks can proactively make available to third parties for plug-and-play development.

While open banking is a regulatory requirement in Europe, market competition is driving North American banks to be very interested in implementing open banking here. An Accenture survey recently found that 60 percent of North American banks already have an open banking strategy, compared to 74 percent of European banks.

It is no surprise that bankers are becoming more comfortable with the shift-in-ownership concept. FIs have been increasingly sharing their customers' data with third parties. Consumer data are what fuel organizations like credit agencies, payment fraud databases, identity and authentication solutions, and anomaly detection services, to name a few. As these ownership theories change, we will also need to see new approaches to security. What are your thoughts about open banking?

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

October 16, 2017

No Magic Bullet for Preventing Data Breaches

Much has been written about the Equifax data breach, including a Take On Payments piece several weeks ago. Since the announcement of the breach in early September, my LinkedIn timeline has been filled with articles and messages from sales and development professionals claiming that their technologies and solutions could have prevented the Equifax breach. Unfortunately, the weakest leak isn't a technology problem or issue. It is, and will continue to be, the human element.

Before I hear from the sales and development professionals I just referred to, let me say that I believe that technology does play an important role in mitigating data breaches. For example, statistics show that homes equipped with a security system—"hard targets"—are significantly less likely to be burglarized than homes without them—"soft targets." I suspect the same is true for companies and data breaches in that those who do a better job of securing their data with technology are harder targets than those who do not. However, technology is only one aspect of preventing data breaches—which brings us back to the human element.

We are the weakest link. We architect and program security systems with flaws. We fail to properly update software or install patches on a timely basis. We open suspicious attachments on emails. We sometimes visit dubious websites and click on suspicious ads or links. We divulge too much information over social media. We share sensitive information with people we think we know and who we think are friendly. And we are mistake- and accident-prone. Education does and will continue to help, but humans will continue to make mistakes and be accident-prone, thus data breaches will remain an ongoing problem.

The late, great musician Tom Petty said, "Music is probably the only real magic I have encountered in my life. There's not some trick involved with it. It's pure and it's real." While Petty's remark that music is probably the only real magic is debatable, there is no debating that data breach prevention has no magic bullet. Educating people remains critical, but, as is all too often the case, education also ends up falling short. As a risk expert, I really wish that I had the answer to preventing data breaches. Unfortunately, human actions trump any answers that I might have. Given the grim outlook for data breaches, it is imperative for companies and individuals to have a plan in place to minimize the damage when a data breach occurs.

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

October 2, 2017

A Record-Breaking Season of Hurricanes and Data Breaches

I lived in the panhandle of Florida in 2005, during a record-breaking hurricane season. Four hurricanes that started in the Atlantic—including Katrina—reached Category 5 status that season. That disastrous hurricane season seemed unsurpassable. Yet hurricane Harvey and Irma set new records (both made first landfall in the United States as Category 4 hurricanes).

As Hurricane Irma made its destructive way across the Caribbean, a different kind of disaster was also setting records. On September 7, Equifax announced a data breach potentially affecting most U.S. adults. Could this year also prove to be a record-breaking year for data breaches? According to the Identity Theft Resource Center (ITRC), there are already 976 on the books. Breaches reached a record high of 1,093 in 2016—a substantial hike of 40 percent over the near-record high of 780 reported in 2015.

Truth be told, we can't be sure these data breach "records" are even accurate. Data breach notification laws vary by state in terms of definitions and standard reporting elements. Even the ITRC questions whether there actually are more breaches or the numbers have risen because more states are requiring public release of information on them.

The ITRC Breach Report is a compilation of breaches confirmed by various media sources and notification lists from state governmental agencies. This list is updated daily and published each Tuesday. The ITRC has been tracking breaches since 2005, but only since 2010 has that tracking included the information that has been exposed. Even so, many notifications made available do not include what damages, or types of records, were at stake.

To that point, we don't understand the extent victims will suffer when, for example, card information is stolen along with Social Security numbers. We have yet to see standard data on how fraud trends morph when a certain type of data breach occurs. Lack of correlation could be a risk to consumers.

With data breaches, as with hurricanes, we can respond better if we know what is at stake. Is it time for states to adopt a uniform set of statutes regarding data breach notifications? What do you think?

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

September 11, 2017

Identity Theft Part 2: Prevention

In an August 28 post, I wrote about the growing problem of identity theft. Criminals can be a determined lot, and no single tactic is 100 percent perfect. Still, there are a number of measures you can take to reduce your and your family's risk of becoming a victim of identity theft.

These tactics include:

Contact the three major credit bureaus and request the creation of a credit file of any minor children and then place a "freeze" on the credit record. The Social Security numbers of minors are a favorite target in identity theft schemes since years go by before children reach majority age and apply for credit. Unfortunately, no federal law addresses a credit freeze capability for minors, so the ability to do so varies with each state, as do any applicable fees.

You should consider placing a credit security freeze on your account, too. Such a freeze blocks access to your credit file without your permission. Again, the requirements and fees, as well as the process for removing a freeze (permanently or temporarily) vary with each state.

Take advantage of reviewing your credit report once a year at no charge with all of the major credit bureaus to spot any accounts that may have been opened without your knowledge. There are a number of companies offering to help you review your credit report (sometimes for a fee), but you should go to the official site annually to access your reports at no charge.

Secure your Social Security number and provide it only to third parties when absolutely necessary. You should not carry it with you in case your wallet or purse is lost or stolen.

Promptly review account statements including utility bills to verify transactions to ensure that account information such as contact email address and phone numbers have not been altered.

Collect your mail daily and place delivery holds on mail when you will be away from home for three or more days.

Destroy any credit offers you do not plan to accept. If you do not wish to receive prescreened credit and insurance offers, you can opt out by calling (888) 567-8688 or visiting optoutprescreen.com.

Shred other documents containing personal or financial information to prevent criminals going through your garbage to find such information.

We hope this information will be helpful in stemming the growing tide of identity fraud in this country. If you have other suggestions, please share them.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

August 28, 2017

Identity Theft: A Growing Epidemic

I recently attended a conference that explored improvements in identifying and authenticating individuals. Many of the sessions focused on identity theft. While the conference primarily targeted law enforcement, immigration control, and the military, many of the lessons can easily apply to the public sector. A recent industry report validated the conference's focus, noting that in 2016, 15.4 million Americans were victims of identity theft, an increase of 18 percent from the previous year.

Identity theft (also called identity fraud) covers a wide range of crimes in which the criminal obtains and illegally uses another person's personal information in a fraudulent or deceptive manner, typically for economic benefit. In most cases, the criminals get personal information through a data breach, but malware on a computer or mobile phone or email phishing are other sources. Sometimes criminals can get enough personal information from public data—such as property and voter records, as well as social media accounts—to create a false identity and commit a crime.

Social Security numbers appear to be the most valuable information element in creating false identities. For this reason, legislation was passed in 2015 mandating that the Centers for Medicare and Medicaid Services (CMS) remove Social Security numbers from Medicaid cards. CMS recently announced that it will reissue Medicaid cards in April 2018 with a new beneficiary identification scheme.

The criminal actions of identity theft include using account numbers to obtain merchandise that can be monetized, filing fraudulent tax refund returns, and applying for credit to buy cars, lease homes, or even get home equity lines of credit. Outside the financial services arena, identity theft crimes include obtaining medical services, social program benefits, and false identification documents.

The Identity Theft Resource Center is a nonprofit organization established in 1999 to help identity theft victims resolve their cases and to broaden public education and awareness of identity theft, data breaches, cybersecurity, scams and fraud, and privacy issues. The center also tracks the number of data breaches across five industry sectors. As this chart shows, businesses remain the number one target for data breaches, and the number of attacks targeting businesses increased 4.4 percent during the first half of 2017 compared to that same period in 2016.

The increased use of chip cards at merchant terminals has made it more difficult for the criminal element to commit point-of-sale card fraud. Meanwhile, however, overall identity theft fraud is on the rise. So how do we combat this growing threat? We will look at some threat mitigation tactics and tools in a future post.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

July 28, 2017

Are Consumers Out of Touch?

According to the Identity Theft Resource Center (ITRC), 791 data breaches occurred in the first half of 2017, an increase of 29 percent over the first half of 2016. This rising incidence of data breaches is a continuation of a trend, as the 1,093 data breaches tracked by the ITRC in 2016 represented a 40 percent increase over breaches in 2015. As data breaches continue to proliferate, I would expect consumers to be very concerned that their payment credentials (credit, debit, and bank account numbers) are at risk of being compromised. Apparently, my expectations are a bit off, which is both puzzling and alarming.

In a just-released report on a survey conducted in May, Transaction Network Services found that only 46 percent of U.S. adults believe that a data breach may have exposed their credit or debit card information. In 2015, 60 percent of the respondents had that fear. So evidence exists that data breaches are on the rise, yet consumers have less fear today than they did in the past.

In its review of the 2017 data breaches, the ITRC found that only 13 percent resulted in the exposure of card data. However, this figure is up from 10 percent in 2016. Social Security numbers appear to be the prime target, with 60 percent of breaches exposing them. Small wonder, as this information is critical for committing identity theft. Why steal a card number when you can steal a Social Security number and apply for any number of credit cards?

I would like to think that, because the industry is making great strides in improving both transaction security, with initiatives such as EMV, and data security, with encryption and tokenization, consumers are feeling that their card data is more secure than it used to be. But the pessimist in me believes that consumers may be a bit naïve about the risks associated with data breaches, and may have also been inured by the proliferating occurrences. Or maybe because of limited liability protections, consumers just don’t care about their card data falling into the wrong hands from breaches. But now is not the time for consumers to drop their guard as data breaches—more specifically, breaches of card data—are on the rise. They must continue to take steps to protect themselves from falling victim to card breaches, such as keeping debit card PINs private and examining credit card and bank statements regularly for fraudulent transactions.

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

April 17, 2017

Will the Password Ever Die? Part 1

It has been less than five years since the magazine Wired, in its November 2012 cover story, called for the demise of the password. It has been more than 13 years since Bill Gates called for the elimination of the password at a 2004 RSA conference. Despite these calls to action, the user ID and password remain the most common form of authentication that consumers use online.

Why has the password continued to defy its terminal prognosis? Several reasons come to mind. It remains the most ubiquitous authentication methodology. Even when you factor in the significant costs of companies supporting the need for password resets, I suspect the ongoing operating costs are lower than for other forms of authentication. The reality is that the password is generally a sufficient security tool for accessing low-value applications.

So why is the password criticized so often? Most of the weaknesses in the password are based on the latitude that customers have with selecting and managing their passwords. Surveyed consumers claim to have security in mind when they create passwords, but we have seen the stories about the most common passwords being "password" and the numbers "1-2-3-4-5-6." There is also the practice of using the same password for multiple sites. Frequently, the consumer is not required to use special characters (or the application doesn't accept special characters), nor to change their password on a regular basis.

Despite the frequency of data breaches and all the fallout that comes from them, online merchants are extremely leery of adding additional overt authentication requirements (multi-layered or multi-factor) for fear consumers would abandon their shopping sessions. Given that merchant reluctance along with consumers' general exemption from financial liability if fraudulent transactions are made when their account is hacked and online access credentials are compromised, how likely is it that password weaknesses will improve? So what can be done to strengthen authentication and produce a higher level of confidence that the customer generating a particular transaction is, in fact, the person authorized to perform that transaction?

We will look at some research into the consumer's willingness to adopt additional or alternative authentication methods within the next few weeks. Until then, let us know your suggestions for improving consumer authentication.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

With many websites willing to "remember" passwords for future use, it is no surprise that some groups would not want to give up using something they don't need to remember. Perhaps some vendors or banks should turn this option off, in order to protect some consumers from themselves.

As a consumer, I would appreciate a vendor, whether it be a shopping site, bank, medical heath record site, etc. , to provide an easy to use software VPN application. Besides passwords, knowing that the link between my endpoint and the other is protected by more than a password, or internet security (https) would be wonderful. Layered security is really the key.

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

August 15, 2016

The Personal Cost of Fraud

Last week's post by my colleague Doug King described the check fraud that took place after someone burglarized his wife's car and stole her wallet, including her driver's license and credit and debit cards. The frequency and magnitude of data breaches and constantly reading and researching payments fraud as part of my job have probably numbed me to the personal impact of fraud. When discussing the likelihood of becoming victims of some sort of identity theft fraud, we jokingly paraphrase the slogan in the South about termite infestations: "It's not a matter of if, it's a matter of when." Given the data breaches and information available through public records, we operate under the assumption that the criminal element has all the information they need to perpetrate fraud against us and, for those of us who haven't already been victimized, it is likely to happen in the near future. A pessimistic outlook for sure, but one I fear is realistic.

I still get frustrated when I see the many studies that show that, despite consumers' concern about the security and privacy of their transaction and personal information, the vast majority do not adopt strong security practices. They use easy-to-guess passwords or PINs and often use the same user ID and password for their various online accounts, from social media to online banking access. I believe that many financial institutions (FI) and ecommerce providers have passively supported this environment in that they often do not require customers to use stronger practices because they don't want to incur the customer service cost associated with password resets or customer abandonment. The lack of consistent password formatting structures adds to the confusion (some require special characters and others don't allow them).

I certainly don't hold myself out as the poster child for strong security, but our family has adopted a number of the recommended stronger security practices. These include using a simple compound password structure that creates a separate password for each application, creating a more complex password structure for financial applications, establishing filter rules designed to spot spam and phishing emails, and conducting a frequent review of financial accounts to spot unauthorized transactions.

While liability protection laws and regulations generally hold a consumer financially harmless, there clearly is a social and individual cost associated with fraud from the time spent dealing with law enforcement and FI representatives to the issue of not being able to access the funds fraudulently taken until reimbursement is made. Perhaps Doug's wife's requirement for her FI to provide a stronger level of authentication reflects a changing sense of the need by the general public for stronger security practices. I certainly hope so.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

David,

Great article highlighting the importance of a consumer experience that includes creating a trustworthy system. "Friction-less" transactions should not be the only driver in the equation. As well, friction has become an ambiguous over used term, that has yet to be measured or defined consistently.

New products in market now, offer low cost alternatives that protect consumers through a simple process, build trust in the system, while alleviating consumer fears and worries that their cards will be compromised. It's time for the industry to think about these solutions differently and change the paradigm. Rolling out a fraud prevention solution doesn't mean compromising the purchasing process. Instead it may actually help create greater consumer peace of mind.

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

April 25, 2016

Be Careful, Be Very Careful

Less than halfway through the spring season of banking and payments conferences, the dominant theme of cybercrime is ringing loud and clear. In the 2015 conferences, it was virtual currency, but this year, it is the threat of cyberattacks against individuals and business in both widespread and singular manners. At a payments conference last week, a representative of the Internet Crime Complaint Center (IC3) told the session audience about her center's work. The IC3 has served since 2000 as a conduit for the public to provide information to the FBI regarding suspected Internet-facilitated criminal activity. IC3 tracks and investigates hacking, money laundering, identity theft, advanced fee, and ransomware schemes. It also tracks and investigates efforts to steal intellectual property and trade secrets.

In its latest annual report, IC3 provides detailed statistics on Internet-related complaints and trends. In 2014, the center received almost 270,000 complaints, accounting for more than $800 million in losses. Average monthly complaints received were 22,452. Complaint volume peaked in July at 24,521; the month with the fewest was February, with 20,888.

I asked the IC3 representative about the top complaints the unit was currently seeing. She indicated that email compromise of targeted businesses was the primary complaint and the one that generally resulted in the highest financial loss per complaint. It is common for employees in accounting areas to be targeted. They receive spoofed emails instructing them to initiate wire transfers or to change invoice remittance payments to fraudulent parties and locations, often accounts at financial institutions located in eastern Europe or the Asian-Pacific region. Although representing less than 1 percent of the total complaints filed in 2014, the losses from business email compromise accounted for 28 percent of the total losses reported, and from January 2015 to January 2016 the loss rate increased 270 percent.

Advanced fee schemes involving home rentals or sales, automobile sales, dating services, and lottery/prize winnings are also common. As the name implies, the criminals gain the confidence of victims and demand upfront payment as a sign of good faith. Once they receive the first payment, they will often try for additional payments before disappearing.

Finally, intimidation or extortion schemes are becoming more prevalent. The criminal generally contacts the victims by phone, accuses them of being past due on tax payments or utility bills, and says if immediate payment is not made, their property will be confiscated or they will be arrested. Often the criminal has used social engineering or public records to obtain legitimate data to make their representation of the agency seem more legitimate.

The size and frequency of data breaches of financial institutions, retailers, health care and insurance companies, and government agencies have led some people to conclude that just about everyone's personal identification information has been compromised to some level. I believe it is sensible to be a bit distrustful and apprehensive about the legitimacy of offers or information you might receive through emails or websites, especially those with which you are unfamiliar. Many of the attempts are easy to spot but many others involve highly sophisticated techniques, so one should be extremely careful when on the Internet.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

March 21, 2016

The Insider on the Outside

Having had a few days to digest my RSA Conference 2016 experience (and let my feet recover), I'm not sure whether to be more concerned about cybersecurity challenges or more at ease due to the sheer number of solutions on display that are available to mitigate these challenges. In reality, my emotions are mixed.

On the one hand, the cybersecurity threat is real and spreading across all types and sizes of businesses and government agencies. On the other hand, information sharing is taking place across, and within, industries like never before, and technology is being harnessed in an effort to strengthen defenses against the latest cybersecurity threats. But my biggest takeaway from the week might be different from that of the many technology evangelists and cyber risk experts that I encountered: the human element might be the most important element in mitigating data loss risks.

The risk of data loss due to the human element is quite substantial and probably merits a paper on its own or perhaps a dedicated Take on Payments series. Today, I'm going to focus on a single aspect of the human element: the expanding nature of the insider threat. In a Take On Payments post from the summer of 2013, I discussed some access and security management principles to thwart malicious behavior from an insider.

Traditionally, an insider has been thought of as an employee. That definition has broadened as organizations outsource more internal-support functions to third-party providers. Much has been written and discussed concerning regulatory and compliance issues related to third-party providers, and this notion of the "outside insider" is a logical extension of a company's risk management practice. The insider threat is real and costly. According to data from the Ponemon Institute, malicious insider attacks cost companies an average of about $144,000 annually.

Ensuring that any third-party provider has the necessary policies and procedures in place to secure your data from outsiders is paramount, but what about the sufficiency of their controls to protect your data from potential bad actors within these third parties? Have you given much thought to this notion of the "outside insider"? If you have, what recommendations or best practices do you have to avoid becoming a victim of a malicious insider on the outside?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.